On this page

SSF Transmitter SET payload structures

Okta uses the Shared Signals Framework (SSF) (opens new window) to send security-related events and other data-subject signals to third-party security vendors.

To enable the transmission of signals from Okta, you must create an SSF stream (opens new window) using the SSF Transmitter API (opens new window). Then, configure the third-party receiver to accept signals from Okta.

Note: See Configure a shared signal transmitter (opens new window) to use the Admin Console to configure an SSF transmitter.

Supported events

The Okta SSF Transmitter currently supports two types of Continuous Access Evaluation Protocol (CAEP) (opens new window) events: Session Revoked (opens new window) and Credential Change (opens new window). Those events are mapped to an Okta event.

The following Okta event (opens new window) is mapped to the CAEP Session Revoked event: user.session.end

The following Okta events (opens new window) are mapped to the CAEP Credential Change event:

  • user.mfa.factor.activate

  • user.mfa.factor.deactivate

  • user.mfa.factor.reset_all

  • user.mfa.factor.suspend

  • user.mfa.factor.unsuspend

  • user.mfa.factor.update

  • user.account.reset_password

  • user.account.update_password

SET JWT schemas

SETs are a type of JSON Web Token (JWT) that must comply with the SET RFC (opens new window).

Use the following links to learn more about the SET structure that Okta supports:

SET JWT payload examples

The following are examples of the JWT payload when an Okta event is fired.

CAEP Session Revoked - user.session.end

{
   "iss":"https://org.okta.com",
   "jti":"24c63fb56e5a2d77a6b512616ca9fa24",
   "iat":1615305159,
   "aud":"https://sp.example.com/caep",
   "events":{
      "https://schemas.openid.net/secevent/caep/event-type/session-revoked":{
        "subject":{
          "format":"iss_sub",
          "iss":"https://org.okta.com",
          "sub":"okta-user-id1"
         },
        "reason_admin":{
          "en":"User logout from Okta"
         },
        "event_timestamp":1615304991643
      }
   }
}

CAEP Credential Change - user.mfa.factor.activate

{
  "iss": "https://transmitter.okta.com",
  "jti": "set-07efd930f0977e4fcc1149a733ce7f78",
  "iat": 1615305159,
  "aud": "https://receiverexample.com",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": {
      "subject": {
        "format": "iss_sub",
        "iss": "https://transmitter.okta.com",
        "sub": "okta-user-id1"
      },
      "credential_type": "fido2-roaming",
      "change_type": "create",
      "fido2_aaguid": "accced6a-63f5-490a-9eea-e59bc1896cfc",
      "friendly_name": "FIDO_WEBAUTHN",
      "initiating_entity": "user",
      "reason_admin": {
        "en": "Activate factor for user"
      },
      "event_timestamp": 1615304991643
    }
  }
}

CAEP Credential Change - user.mfa.factor.deactivate

{
  "iss": "https://transmitter.okta.com",
  "jti": "set-07efd930f0977e4fcc1149a733ce7f78",
  "iat": 1615305159,
  "aud": "https://receiverexample.com",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": {
      "subject": {
        "format": "iss_sub",
        "iss": "https://transmitter.okta.com",
        "sub": "okta-user-id1"
      },
      "credential_type": "x509",
      "change_type": "delete",
      "friendly_name": "SMART_CARD",
      "initiating_entity": "user",
      "reason_admin": {
        "en": "Reset factor for user"
      },
      "event_timestamp": 1615304991643
    }
  }
}

CAEP Credential Change - user.mfa.factor.reset_all

{
  "iss": "https://transmitter.okta.com",
  "jti": "set-07efd930f0977e4fcc1149a733ce7f78",
  "iat": 1615305159,
  "aud": "https://receiverexample.com",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": {
      "subject": {
        "format": "iss_sub",
        "iss": "https://transmitter.okta.com",
        "sub": "okta-user-id1"
      },
      "credential_type": "ALL_FACTORS",
      "change_type": "revoke",
      "friendly_name": "ALL_FACTORS",
      "initiating_entity": "user",
      "event_timestamp": 1615304991643
    }
  }
}

CAEP Credential Change - user.mfa.factor.suspend

{
  "iss": "https://transmitter.okta.com",
  "jti": "set-07efd930f0977e4fcc1149a733ce7f78",
  "iat": 1615305159,
  "aud": "https://receiverexample.com",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": {
      "subject": {
        "format": "iss_sub",
        "iss": "https://transmitter.okta.com",
        "sub": "okta-user-id1"
      },
      "credential_type": "OKTA_VERIFY_PUSH",
      "change_type": "update",
      "friendly_name": "OKTA_VERIFY_PUSH",
      "initiating_entity": "user",
      "reason_admin": {
        "en": "Suspend factor for user"
      },
      "event_timestamp": 1615304991643
    }
  }
}

CAEP Credential Change - user.mfa.factor.unsuspend

{
  "iss": "https://transmitter.okta.com",
  "jti": "set-07efd930f0977e4fcc1149a733ce7f78",
  "iat": 1615305159,
  "aud": "https://receiverexample.com",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": {
      "subject": {
        "format": "iss_sub",
        "iss": "https://transmitter.okta.com",
        "sub": "okta-user-id1"
      },
      "credential_type": "phone-sms",
      "change_type": "update",
      "friendly_name": "SMS_FACTOR",
      "initiating_entity": "user",
      "reason_admin": {
        "en": "Unsuspend factor for user"
      },
      "event_timestamp": 1615304991643
    }
  }
}

CAEP Credential Change - user.mfa.factor.update

{
  "iss": "https://transmitter.okta.com",
  "jti": "set-07efd930f0977e4fcc1149a733ce7f78",
  "iat": 1615305159,
  "aud": "https://receiverexample.com",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": {
      "subject": {
        "format": "iss_sub",
        "iss": "https://transmitter.okta.com",
        "sub": "okta-user-id1"
      },
      "credential_type": "DUO_SECURITY",
      "change_type": "update",
      "friendly_name": "DUO_SECURITY",
      "initiating_entity": "user",
      "reason_admin": {
        "en": "Update factor for user"
      },
      "event_timestamp": 1615304991643
    }
  }
}

CAEP Credential Change - user.account.reset_password

{
  "iss": "https://transmitter.okta.com",
  "jti": "set-07efd930f0977e4fcc1149a733ce7f78",
  "iat": 1615305159,
  "aud": "https://receiverexample.com",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": {
      "subject": {
        "format": "iss_sub",
        "iss": "https://transmitter.okta.com",
        "sub": "okta-user-id1"
      },
      "credential_type": "password",
      "change_type": "revoke",
      "friendly_name": "PASSWORD_AS_FACTOR",
      "initiating_entity": "user",
      "reason_admin": {
        "en": "Fired when the user's Okta password is reset"
      },
      "event_timestamp": 1615304991643
    }
  }
}

CAEP Credential Change - user.account.update_password

{
  "iss": "https://transmitter.okta.com",
  "jti": "set-07efd930f0977e4fcc1149a733ce7f78",
  "iat": 1615305159,
  "aud": "https://receiverexample.com",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/credential-change": {
      "subject": {
        "format": "iss_sub",
        "iss": "https://transmitter.okta.com",
        "sub": "okta-user-id1"
      },
      "credential_type": "password",
      "change_type": "revoke",
      "friendly_name": "PASSWORD_AS_FACTOR",
      "initiating_entity": "user",
      "reason_admin": {
        "en": "User update password for Okta"
      },
      "event_timestamp": 1615304991643
    }
  }
}